System and method for securing fiber channel drive access in a partitioned data library

ABSTRACT

A storage area network associated data library partitioning system comprises a plurality of storage slot elements adapted to store data storage media, at least one set of at least one of the slots is assigned to one partition of a plurality of partitions, and a plurality of data transfer elements that are adapted to receive the media and transfer data to and from the media, each of at least one set of at least one of the data transfer elements is assigned to one of the partitions, at least one data transfer element of each of the partitions hosts a logical element designation of a virtual controller for each of the partitions, the virtual controllers restricting movement of the media to between the set of slots and the set of data transfer elements assigned to a same of the partitions.

RELATED APPLICATIONS

The present invention is related to the following copending and commonly assigned U.S. patent applications: Ser. No. [30014510-1] entitled System and Method for Partitioning a Storage Area Network Associated Data Library, filed Dec. 28, 2001; Ser. No. [30014511-1] entitled System and Method for Partitioning a Storage Area Network Associated Data Library Employing Element Addresses, filed Dec. 28, 2001; Ser. No. [30014512-1] entitled System and Method for Managing Access To Multiple Devices in a Partitioned Data Library, filed Dec. 28, 2001; Ser. No. [30014513-1] entitled System and Method for Peripheral Device Virtual Functionality Overlay, filed Dec. 28, 2001; Ser. No. [30014514-1] entitled System and Method for Securing Drive Access to Media Based On Medium Identification Numbers, filed Dec. 28, 2001; Ser. No. [30014515-1] entitled System and Method for Securing Drive Access to Data Storage Media Based On Medium Identifiers, filed Dec. 28, 2001; Ser. No. [30014517-1] entitled Method for Using Partitioning to Provide Capacity on Demand in Data Libraries, filed Dec. 28, 2001; Ser. No. [30014518-1] entitled System and Method for Intermediating Communication with a Moveable Media Library Utilizing a Plurality of Partitions, filed Dec. 28, 2001; and Ser. No. [30008195-1], entitled System and Method for Managing a Moveable Media Library with Library Partitions, filed Dec. 28, 2001; the disclosures of which are hereby incorporated herein by reference.

TECHNICAL FIELD

The present invention generally relates to data storage and specifically to a system and method for securing fiber channel drive access in a partitioned data library.

BACKGROUND

In certain storage area network (SAN) usage scenarios, such as may arise for storage service providers (SSPs), there are multiple customers attempting to share the same common SAN resources. In such cases, there is a need to ensure that customers can only see and access the storage resources they have been allocated, and to prevent them from accessing storage of other customers. For example, if a customer stores their critical business data with an SSP, then they generally do not want other customers of the SSP reading their data or even being aware that they have information stored with the SSP. The capability to partition a tape library is known. However, special hardware or special backup software, as described below, has been used to implement partitioning.

Existing software-based data library partitioning solutions typically employ a host system that restricts access to portions of a tape library. The host restrictions are implemented by a mediating software process on a host system to enforce partition restrictions. However, this approach is problematic. Specifically, the approach is undesirable if the data library is utilized in an SSP environment. In SSP environments, the data library and the host systems may belong to different entities (e.g., the SSP and the customers). Placement of software mediating processes on host systems is unattractive, because it increases the burden on the customers to make use of the storage service. Moreover, many customers are unwilling to allow other parties to place software on their host systems. Additionally, the software mediating process approach is typically incompatible with existing data back-up utilities, i.e., the software mediating process approach requires the use of specialized data back-up applications. Hence, users are effectively denied the ability to run desired backup software.

Existing fibre channel (FC) disk array firmware may be used to provide security in an FC redundant array of independent disks (RAID), since the disk array firmware has direct control over the array's ports connected to the SAN. Every host and device connection into the SAN generally has a unique FC-based world-wide name (WWN), which can be used by an FC-based RAID to uniquely identify a device or host connection. Therefore, the FC disk array firmware may be configured so that when a host attempts to send a small computer systems interface (SCSI) command to an FC logical unit number (LUN) inside the RAID, the firmware will check the originating WWN of the server that sent the command against a list of authorized WWNs. If the WWN is on the list of authorized WWNs for that RAID FC-LUN, the SCSI command may be processed; if the WWN is not on the list of authorized WWNs for the RAID FC-LUN, the command will be rejected. The list of authorized WWNs for each RAID FC-LUN may be configured via the existing management software for the RAID.

However, if a standard existing SCSI device, such as a data tape library, is connected to an FC SAN via existing FC interfaces, such as existing FC tape drives in the library, it is not possible to secure these devices so that only certain hosts can access them, as individual existing FC tape drives do not support the FC WWN-based security discussed above. As a typical example, if an FC tape drive is connected to a SAN, it is visible to every server connected to that SAN. This circumstance is unacceptable for a SAN that offers secure storage resources to diverse customers. Existing solutions do not allow fibre channel tape drive devices to be secured in a SAN environment. The scheme to secure LUNs implemented in FC disk arrays, as discussed above, does not extend to securing physical tape drives that make up a logical partition within a SAN-attached tape library.

FC switches have the capability of configuring security zones that define which WWNs or FC ports of a server can see which WWNs or FC ports of devices. However, this FC switch zoning does not extend to device LUNs, so it is only possible to provide security using such FC switch zoning at the FC port level. Even if tape libraries are directly attached on an FC SAN, it would be very difficult for a user to define security zones for the library tape drives. A data tape library can have multiple FC tape drives, and may be logically partitioned into partitions extending across multiple fibre channel tape drives. Therefore it would be difficult for a user to correctly identify which FC ports and LUNs should be associated together in the same security zone for an FC switch. Understandably, a user may easily make mistakes in such a manual configuration process.

Access to stand-alone native FC devices may be secured by using switch zoning, facilitated by a one-to-one relationship between a stand-alone FC drive and an accessing user's WWN. In a data library, the library controller is typically placed behind a bridge. Configuring an FC switch for switch zoning to secure such a controller adds a process for a SAN administrator to implement and coordinate with users. FC switch configuration is not typically under control of a library's management card.

SUMMARY OF THE INVENTION

One embodiment of a storage area network associated data library partitioning system comprises a plurality of storage slot elements adapted to store data storage media, at least one set of at least one of the slots is assigned to one partition of a plurality of partitions, and a plurality of data transfer elements that are adapted to receive the media and transfer data to and from the media, each of at least one set of at least one of the data transfer elements is assigned to one of the partitions, at least one data transfer element of each of the partitions hosts a logical element designation of a virtual controller for each of the partitions, the virtual controllers restricting movement of the media to between the set of slots and the set of data transfer elements assigned to a same of the partitions.

A preferred embodiment of a method according to the present invention for partitioning a storage area network-associated data library comprises establishing a plurality of partitions in the data library, each of the partitions comprising at least one storage slot element and at least one data transfer element, each of the slots adapted to store media, and each of the data transfer elements adapted to receive the media and transfer data to and from the media; assigning a different logical element designation to each of the library partitions and assigning the same logical element designation as a partition to a virtual controller hosted by at least one of the data transfer elements in the partition; and restricting movement of the media to between the slots and the data transfer elements assigned to a same partition.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a diagrammatic illustration of a SAN operating in accordance with a preferred embodiment of the present invention; and

FIG. 2 is a diagrammatic illustration of an example of a data library operating in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

The present invention is directed to a system and method which provide FC security for FC resources of a partitioned data library. A surrogate LUN for a library controller provided by one or more of the FC tape drives in a SCSI-based data library partitioning system and method may also be secured in accordance with the present invention. A physical data library implementing the present invention may be partitioned into multiple virtual library partitions, with each library partition having one or more physical drives, a unique subset of library media slots, and a dedicated virtual library changer device LUN assigned to the partition, as discussed below. Such a data library partitioning system and method is disclosed in commonly-assigned U.S. patent application Ser. No. [30014511-1] entitled “System and Method for Partitioning a Storage Area Network Associated Data Library Employing Element Addresses”. Preferably the present invention does not require modification to existing library hardware for implementation. The present invention is preferably implemented employing firmware modifications to the subject FC-based drives and library controller(s).

Turning to FIG. 1, SAN 100 is shown. By way of example, first and second customer servers 101 and 102 are connected to SAN 100 via FC switch 103. RAID 104 may be partitioned using existing LUN-based RAID partitioning methods, for example, assigning first partition 105 to server 101 and second partition 106 to server 102. Zero downtime backups (ZDBs) may be performed of the data each server has on the RAID to tape library 108, via ZDB interconnectivity 107 between RAID 104 and tape library 108. Such ZDBs preferably employ data-mover firmware embodied in RAID 104 or other elements of SAN 100. Such ZDBs are preferably carried out without impinging on the processor operations or LAN capacity of servers 101 and 102. Tape library 108 is preferably partitioned employing the aforementioned system and method for library logical partitioning to ensure that data for server 101 is maintained in partition 109 separate from data for server 102, and that the data of server 102 is maintained in partition 110 separate from data for server 101. Such partitioning facilitates implementation of the security system and method of the present invention to ensure that the servers may not access each other's data even though their data is maintained in the same physical library.

Data tape library 200 employing a preferred embodiment of the present system and method is illustrated in FIG. 2 as an example of a library that may be employed as library 108 of FIG. 1. However, other library designs and/or capacities may embody the present system and method. Exemplary data tape library 200 has four FC tape drives 201-204 serving as data transfer elements; forty media storage slots 205 organized into four trays 206-209 of ten slots 205 each; two FC-to-SCSI bridges 210 and 211; a library management interface card or remote management card (RMC) 212; library controller 213 and robotic media transport 220. The bridges, drives, transport, RMC and controller are preferably interconnected by inter-integrated circuit bus (I²C) 214. Additionally, drives 201-204 and library controller 213 preferably communicate with each other using dedicated automated control interface (ACI) links 221-224 or the like, independently extending between each drive 201-204 and controller 213. Preferably, each drive is an FC device and has an FC address on a SAN with which the library is associated.

For partitions employed by a preferred embodiment of the present system and method, a subset of media slots 205 and tape drives 201-204 should be assigned to each partition, and a virtual library controller or dedicated virtual library changer device should be addressable with respect to each partition for control of library robotic media transport 220. The example partitioning shown in FIG. 2 is indicated by boxes 215, 216 and 217. As illustrated, SCSI LUN0 (230) corresponds to partition 215, SCSI LUN1 (231) corresponds to partition 216 and SCSI LUN2 (232) corresponds to partition 217. Mailslots or import/export elements may be assigned to each partition or configured for use by the entire library. Preferably, easily accessible media storage slots are configured as mailslots.

Preferably, an FC device in each partition, such as drives 201-204, may host one or more FC LUNs. SCSI commands to the drive itself are preferably directed to LUN 0. Each drive may present a virtual controller as surrogate LUN 1. Preferably, only one drive in a partition presents a virtual controller for that partition. Controller 213 dictates which drive in a partition presents the virtual controller. Controller 213 configures the drive to provide the virtual controller via ACI 221, 222, 223 or 224.

SCSI commands to a virtual controller LUN received by a drive are passed to controller 213 over the drive's ACI. Controller 213 sends SCSI responses back to the drive over the same ACI link. The drive, in turn, sends these SCSI responses over the FC SAN from the virtual controller LUN. The SCSI commands and responses are preferably sent over the ACI in a suitable form, packaged as an ACI message packet. The drive's firmware preferably supports functionality to facilitate hosting the virtual controller or surrogate LUN and to pass SCSI messages back and forth to and from controller 213 over the drive's ACI. It is irrelevant to a drive which partition it is in, nor is it pertinent to a drive which logical controller is being addressed by a SCSI command. Controller 213 determines and maintains which drive of a partition is hosting the logical controller LUN. Since the ACI is a point-to-point connection, as opposed to a bus (i.e., there is an ACI port on the controller for each drive, each of which connects to only one drive), when controller 213 receives SCSI commands over an ACI link, the commands are addressed to one particular logical controller. Therefore, when controller 213 receives a SCSI command from a logical controller of a drive, controller 213 can identify the partition based on the originating drive.

For each partition configured there will be one drive that hosts the logical controller LUN for that partition. As indicated above, the drive hosting the logical controller for the partition is determined by controller 213. Advantageously, if a drive in a partition fails, or is inadvertently disconnected from the FC SAN, the controller may configure one of the other drives in the partition to take over the logical library LUN hosting for that partition.
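The ACI routing and surrogate LUN hosting described in the preceding two paragraphs, as an added example that is not part of the patent and not the library's firmware: a Python model of the controller's bookkeeping. It maps each point-to-point ACI link to the partition of the drive on that link, picks the drive that presents the partition's virtual controller LUN, moves that role to another drive of the same partition when the hosting drive fails or is disconnected, and refuses a MOVE MEDIUM whose source or destination element lies outside the originating partition. The class and method names, the element labels, the slot-to-partition split and the defensive check that only the hosting drive forwards surrogate LUN commands are assumptions for illustration; the drive numbering follows FIG. 2.

```python
# Added example, not part of the patent: library-controller bookkeeping for
# surrogate (virtual controller) LUNs. Names and element labels are assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Partition:
    name: str
    drives: List[str]                 # data transfer elements, in hosting preference order
    slots: Set[str]                   # storage elements owned by this partition
    host_drive: Optional[str] = None  # drive currently presenting the surrogate LUN

    def owns(self, element: str) -> bool:
        return element in self.slots or element in self.drives


class LibraryController:
    """Models controller 213: one ACI port per drive, one virtual controller per partition."""

    def __init__(self, partitions: List[Partition]):
        self.partitions: Dict[str, Partition] = {p.name: p for p in partitions}
        # The ACI is point-to-point, so the port a command arrives on names the
        # drive, and the drive's partition assignment names the partition.
        self.partition_of_port: Dict[str, str] = {
            d: p.name for p in partitions for d in p.drives
        }
        self.failed: Set[str] = set()
        for p in partitions:
            self.assign_host(p.name)

    def assign_host(self, pname: str) -> Optional[str]:
        """Configure the first healthy drive of the partition to present LUN 1."""
        p = self.partitions[pname]
        p.host_drive = next((d for d in p.drives if d not in self.failed), None)
        return p.host_drive

    def drive_failed(self, drive: str) -> Optional[str]:
        """Drive lost (failure or SAN disconnect): move surrogate hosting if needed."""
        self.failed.add(drive)
        p = self.partitions[self.partition_of_port[drive]]
        if p.host_drive == drive:
            self.assign_host(p.name)
        return p.host_drive          # None when no healthy drive is left

    def move_medium(self, aci_port: str, src: str, dst: str) -> str:
        """MOVE MEDIUM received over an ACI link; returns a SCSI-style status string."""
        p = self.partitions[self.partition_of_port[aci_port]]
        if aci_port != p.host_drive:
            # Defensive assumption: only the hosting drive presents the surrogate
            # LUN, so a surrogate command from any other drive is refused.
            return "CHECK CONDITION"
        if not (p.owns(src) and p.owns(dst)):
            return "CHECK CONDITION"  # an element belongs to another partition
        return "GOOD"


def fig2_layout() -> LibraryController:
    """Constructed layout after FIG. 2: partitions 215 (drives 201, 202), 216 (203), 217 (204).
    The slot split (20/10/10 of the forty slots) is an assumption."""
    return LibraryController([
        Partition("215", ["201", "202"], {f"S{i}" for i in range(1, 21)}),
        Partition("216", ["203"], {f"S{i}" for i in range(21, 31)}),
        Partition("217", ["204"], {f"S{i}" for i in range(31, 41)}),
    ])
```

The controller never needs a partition identifier inside the SCSI command itself: the ACI link is the authenticating channel, which is why a non-hosting drive cannot inject a command for another partition's changer.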

Access to existing stand-alone native FC devices may be restricted by using switch zoning, as discussed above. This is facilitated by the one-to-one relationship between an existing stand-alone FC drive and an accessing user's WWN. However, in a partitioned SCSI data library, library controller 213 is preferably placed behind a bridge, such as FC-to-SCSI bridge(s) 210 and/or 211. In such a situation, configuring an FC switch for switch zoning to secure controller 213 adds a process for a SAN administrator to implement and coordinate with users. FC switch configuration is not traditionally under control of a library management card, and manual configuration of switch zoning is prone to error.

In accordance with the present inventive system and method, native FC tape drives 201-204 may support security based on WWN or other unique host device identifiers without the need for switch zoning and the related manual configuration. To provide a more usable one-step configuration process, such security may be established and modified via management card 212.

If all the tape drives 201 through 204 deployed in library 200 are FC tape drives and library controller 213 is not on a common bus with an FC-to-SCSI bridge, such as bridges 210 or 211, the library can be configured so that an instance of the library controller, one per partition, is accessed as surrogate LUNs 230, 231 and 232, via one tape drive in each partition. In the example illustrated in FIG. 2, surrogate LUN0 (230) for partition 215 is provided by drive 201, while surrogate LUN1 (231) and surrogate LUN2 (232) are provided by drives 203 and 204, respectively, for partitions 216 and 217, respectively. The FC security of tape drives 201-204 and library controller LUN(s) 230-232 is preferably configured by a user via RMC 212. Additionally, RMC 212 defines which tape drives are in which partition.

To provide security in this fibre channel environment, a user may also configure which SAN hosts have access to partition resources, such as tape drives, library controller and media in each partition, via a control interface of RMC 212. This security configuration may be carried out via a web browser interface or via a network management protocol interface. For example, the user may select an active partition and configure the partition to either be unsecured, allowing all hosts access, or restrict access to a list of host WWNs or similar unique host device identifiers. To provide maximum flexibility, by default a partition's security level is preferably set to unsecured. To prevent all hosts from accessing a partition, the partition may be configured with an empty list of WWNs. Similarly, access by all hosts to disabled resources not in an active partition is preferably restricted.

Preferably, the security configuration of a tape drive applies to access to the tape drive itself, which will include any extended third-party copy command, such as ZDBs, that the tape drive supports. The security configuration of a tape drive will also preferably apply to any library controller surrogate LUN 230 through 232 the tape drive is hosting or supporting. Preferably, RMC 212 has no need to know which tape drive in a partition is hosting a surrogate LUN. Preferably, all tape drives in a partition have the same security settings. Therefore, as long as one of the tape drives in a partition hosts a surrogate LUN, for example as shown for partition 215 of FIG. 2, the surrogate LUN 230 and drives 201 and 202 under the surrogate LUN will have the required security settings applied. Preferably, as discussed above, the firmware of the library controller determines which tape drive holds the library controller surrogate LUN for that partition. Alternatively, the firmware of the controller and the firmware of the tape drives may negotiate as to which tape drive holds the library controller surrogate LUN for each partition.

Preferably, an FC drive blocks the ability of a host connected to the associated SAN to see the drive. In other words, the drive does not respond to any SCSI commands (e.g., SCSI INQUIRY) from that host, based on the host's WWN. However, because the WWN is not sent in each SCSI command, a drive preferably filters based on the source ID of the host, which the drive obtains from a name server, as detailed below.

When a partition is reconfigured, the FC security settings of a tape drive are preferably reconfigured. RMC 212 sends a security configuration request to library controller 213 over I²C bus 214. According to a preferred embodiment, library controller 213 passes the security configuration request, in the format of a special ACI command, to the tape drive(s) via the ACI port of the tape drive(s). Since the FC-LUN security in the tape drives is configured out-of-band via the ACI, the SCSI bus used to carry data to and from the drive need not be used to configure security.

FC commands generally do not contain the WWN of the originating host. However, FC commands do carry a source ID. Therefore, in accordance with the present invention, a tape drive should also maintain an FC source ID-to-WWN mapping. The tape drive should gather information regarding source ID-to-WWN mappings from a SAN-associated name server at login, and register with the fabric for state change notifications (RSCN) so as to be informed of any changes in these mappings. If new WWNs are added to a security look-up table maintained by an FC tape drive, the drive should query the name server for the source ID of each new WWN. Preferably, the source ID of each incoming command, whether issued to a tape drive or to a surrogate LUN hosted by an FC tape drive, will be compared against the FC drive's or surrogate LUN's security configuration and used to determine security access. If the source ID matches the source ID mapped to a WWN in the tabulated security settings, then access is allowed. If the security setting for the drive or surrogate LUN is unsecured, then access is allowed regardless of the source ID.

If security access to a partition is changed, then the new security settings of that partition will preferably be sent to all tape drives in the partition. When a tape drive's firmware receives a security configuration request over the ACI, it should erase its current security settings and then store in non-volatile random access memory (NVRAM) the new list of authorized WWNs, or an unsecured setting, contained in the security configuration request. A security configuration request to each affected FC tape drive may contain a list of authorized WWNs for that device. Where a library partition is unsecured and thus available to any initiator WWN, a security configuration request will leave a drive unsecured. The default configuration for a tape drive is preferably unsecured. Finally, if a security configuration request establishes an empty list of WWNs for a tape drive, the tape drive should not be part of an active partition and is thus disabled, preferably disallowing any access at all to the drive by any user.

The library management firmware can use a security configuration request to clear any security information to an unsecured state. This may be required if the user wishes to set the library back to factory defaults, or if the library management firmware detects a replacement FC tape drive that contains security information from another library which needs to be overwritten. If a tape drive is added to or removed from a partition, the security settings of that tape drive are preferably altered to reflect the security settings of the new partition.
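The drive-side mechanism described in the preceding paragraphs (the source ID-to-WWN table learned from the name server and kept current through state change notifications, the per-command check applied to both LUN 0 and the surrogate LUN, and the security configuration request with its unsecured, list and empty-list meanings, including the reset to unsecured for a factory default or a replaced drive), as an added Python model that is not part of the patent and not the drive firmware. The NameServer stand-in, the class and method names, and the sample WWNs and source IDs are constructed for the example. It goes one step beyond the text in one respect: when a notification shows that a source ID previously mapped to an authorized host has been reassigned to a different WWN, the stale entry is dropped, so an authorization never travels with a reused source ID.

```python
# Added example, not part of the patent: a model of the per-drive FC security
# logic. NameServer stands in for the fabric name server; names are assumed.
from typing import Callable, Dict, List, Optional, Set


class NameServer:
    """Resolves WWN -> source ID (S_ID) and emits state change notifications."""

    def __init__(self, wwn_to_sid: Dict[str, int]):
        self.wwn_to_sid = dict(wwn_to_sid)
        self.registered: List[Callable[[str, int], None]] = []

    def sid_for(self, wwn: str) -> Optional[int]:
        return self.wwn_to_sid.get(wwn)          # None if the host is not logged in

    def register_state_change(self, callback: Callable[[str, int], None]) -> None:
        self.registered.append(callback)

    def relogin(self, wwn: str, new_sid: int) -> None:
        """A host logs in (again) and is assigned new_sid; notify registered devices."""
        self.wwn_to_sid[wwn] = new_sid
        for cb in self.registered:
            cb(wwn, new_sid)


class FcTapeDrive:
    """Filters SCSI commands to LUN 0 (the drive) and LUN 1 (hosted surrogate LUN).

    nvram_wwns is None when unsecured, a non-empty set of authorized WWNs when
    secured, and an empty set when the drive is disabled (no host may access it).
    """

    def __init__(self, name_server: NameServer):
        self.ns = name_server
        self.nvram_wwns: Optional[Set[str]] = None   # factory default: unsecured
        self.sid_to_wwn: Dict[int, str] = {}         # learned from the name server
        self.ns.register_state_change(self._on_state_change)

    def apply_security_request(self, wwns: Optional[List[str]]) -> None:
        """Security configuration request, received out-of-band over the ACI."""
        self.sid_to_wwn.clear()                      # erase current settings first
        if wwns is None:                             # partition unsecured, or reset
            self.nvram_wwns = None
            return
        self.nvram_wwns = set(wwns)                  # "stored in NVRAM"; [] disables
        for wwn in self.nvram_wwns:                  # query S_ID of each authorized WWN
            sid = self.ns.sid_for(wwn)
            if sid is not None:
                self.sid_to_wwn[sid] = wwn

    def _on_state_change(self, wwn: str, new_sid: int) -> None:
        # Drop stale entries: any old S_ID of this WWN, and any WWN that previously
        # held new_sid. Re-map only if the WWN is on the authorized list.
        self.sid_to_wwn = {s: w for s, w in self.sid_to_wwn.items()
                           if w != wwn and s != new_sid}
        if self.nvram_wwns and wwn in self.nvram_wwns:
            self.sid_to_wwn[new_sid] = wwn

    def accept(self, s_id: int, lun: int) -> bool:
        """Decide whether a command from s_id addressed to lun is processed."""
        if lun not in (0, 1):
            return False                             # no such LUN on this drive
        if self.nvram_wwns is None:
            return True                              # unsecured: any initiator
        return self.sid_to_wwn.get(s_id) in self.nvram_wwns   # empty set: never
```

Because the table is keyed by source ID rather than WWN, the filter is only as trustworthy as the drive's view of the name server; the state change handling above is what keeps a fabric reconfiguration from silently admitting the wrong host.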

As noted above, preferably only firmware modifications to an existing library are required to employ the present invention. The modifications may need to be made to tape drive firmware to implement surrogate LUN functionality and to implement WWN-based filtering. The firmware of the library controller may need to be modified to give the controller the ability to configure the FC drives to use multiple logical controller surrogate LUN functionality, and to configure the FC drives to use WWN-based filtering on a per-partition basis. As pointed out above, preferably no hardware modifications are required.

As one skilled in the art should recognize, the present system and method is well-suited for use with other types of drive-to-SAN interfaces, for example internet small computer systems interface (iSCSI). Preferably, the only change for iSCSI devices to use the present system and method is that the iSCSI equivalent of the FC source ID and/or WWN, such as the iSCSI name, is used to authenticate initiators for access to secured devices.

1. A storage area network associated data library partitioning system comprising: a plurality of storage slot elements adapted to store data storage media, at least one set of at least one of said slots is assigned to one partition of a plurality of partitions; a plurality of data transfer elements that are adapted to receive said media and transfer data to and from said media, each of at least one set of at least one of said data transfer elements is assigned to one of said partitions, at least one data transfer element of each of said partitions hosts a logical element designation of a virtual controller for each of said partitions, said virtual controllers restricting movement of said media to between said set of slots and said set of data transfer elements assigned to a same of said partitions.
2. The system of claim 1 wherein at least one of said partitions is secured and access to a particular one of said secured partitions is restricted to users of said library having a unique host device identifier that is listed in a list of unique host device identifiers for access to said particular partition.
3. The system of claim 2 wherein a blank listing of unique host device identifiers for a secured partition results in said secured partition being secured from access by any users.
4. The system of claim 2 wherein said list of unique host device identifiers is maintained by at least one data transfer element in each of said partitions.
5. The system of claim 2 wherein said unique host device identifiers are world wide names.
6. The system of claim 2 wherein said unique host device identifiers are iSCSI names.
7. The system of claim 1 wherein at least one of said partitions is unsecured allowing access to said unsecured partitions by any user of said library.
8. The system of claim 1 wherein at least one of said elements is disabled and said at least one disabled elements may not be accessed by any users.
9. The system of claim 1 wherein said data transfer elements are fiber channel connected data tape drives.
10. The system of claim 1 wherein said logical element designations are small computer systems interface logical unit numbers.
 11. The system of claim 10 wherein said virtual controller logical unit numbers are arranged under a small computer systems interface identification of said library.
12. A method for partitioning a storage area network associated data library comprising: establishing a plurality of partitions in said data library, each of said partitions comprising at least one storage slot element and at least one data transfer element, each of said slots adapted to store media, and each of said data transfer elements adapted to receive said media and transfer data to and from said media; assigning a different logical element designation to each of said library partitions and assigning a same logical element designation as a partition to a virtual controller hosted by at least one of said data transfer elements in said partition; and restricting movement of said media to between said slots and said data transfer elements assigned to a same partition.
13. The method of claim 12 further comprising: securing selected ones of said partitions by assigning a list of unique host device identifiers which may access each of said partitions.
14. The method of claim 13 further comprising: maintaining said list of unique host device identifiers that may access a partition in at least one of said data transfer elements in said partition.
15. The method of claim 13 further comprising: securing selected ones of said partitions by allowing no users to access a partition having a blank list of unique host device identifiers.
16. The method of claim 12 further comprising: disabling at least one of said elements; and preventing access to said at least one disabled elements by any user.
17. The method of claim 12 wherein said logical element designations are small computer systems interface logical unit numbers.
 18. A partitioned storage area network with an associated data library, said network comprising: a data storage array that is divided into partitions, each of said partitions assigned a logical unit number; data-mover interconnectivity that extends between said data storage array and said associated data library, via at least one bridge; a library management interface that accepts user input partitioning said library and assigns a logical unit number corresponding to logical unit numbers of said array partitions to library partitions, each of said library partitions comprising: a set of at least one storage element slot, each slot comprised of a plurality of storage element slots, said slots are adapted to store data storage media; and a set of at least one data transfer element, said data transfer elements are adapted to receive said media and transfer data to and from said media, at least one data transfer element in each of said partitions comprising a virtual controller that restricts movement of said media to between said set of slots and said set of data transfer elements assigned to a same partition; and at least one data mover for direct communication from said array to said library.
19. The network of claim 18 wherein said partitions are secured by assigning each of said partitions a list of unique host device identifiers which may access that partition.
20. The network of claim 19 wherein said list of unique host device identifiers for a partition is maintained by at least one of said data transfer elements in that partition.
21. The network of claim 19 wherein said unique host device identifiers are world wide names.
22. The network of claim 19 wherein said unique host device identifiers are iSCSI names.
 23. The network of claim 18 wherein at least one of said elements is disabled and said at least one disabled elements may not be accessed by any users.
24. The network of claim 18 wherein at least one of said data movers is disabled and said disabled data movers may not be accessed by any users.